---
feature_name: Upgrade Insecure Requests
chrome_version: 43
feature_id: 6534575509471232
additional_head_content: <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
---

<h3>Background</h3>
<p>
  The "<a href="https://w3c.github.io/webappsec/specs/upgrade/">Upgrade Insecure Requests</a>"
  <a href="http://www.html5rocks.com/en/tutorials/security/content-security-policy/">Content Security Policy</a>
  can be used to automatically upgrade insecure (e.g. <code>http:</code>) requests to
  a secure alternative (e.g. <code>https:</code>) before a browser fetches them.
</p>
<p>
  In practice, this helps avoid mixed-content warnings when a page is accessed via
  <code>https:</code> but contains references to resources using absolute
  <code>http:</code> URLs.
</p>
<p>
  Like other Content Security Policies, the recommended approach is to enable it via an HTTP
  response header, <code>Content-Security-Policy: upgrade-insecure-requests</code>. However,
  if you do not have control over the underlying web server (as is the case in this demo), an
  <a href="http://www.html5rocks.com/en/tutorials/security/content-security-policy/#the-meta-tag">alternative</a>
  is to include the
  <code>&lt;meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"&gt;</code>
  tag in your HTML's <code>&lt;head&gt;</code>.
</p>
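<p>
  The following Node.js sketch is an added example, not part of the original sample. It checks a page for the directive in a <code>&lt;meta&gt;</code> tag and lists which <code>src</code> URLs the browser would rewrite. The function names, the simplified regex scanning and the <code>static.example.test</code> host are assumptions made for illustration.
</p>

```javascript
// Added example (not from the original page). Function names are illustrative.

// True if a CSP string contains the upgrade-insecure-requests directive.
function hasUpgradeDirective(policy) {
  return policy.split(';').some(
    (d) => d.trim().split(/\s+/)[0].toLowerCase() === 'upgrade-insecure-requests');
}

// Pull the policy out of a <meta http-equiv="Content-Security-Policy"> tag.
// Simplification: assumes http-equiv comes before content, as in the tag above.
function metaPolicy(html) {
  const m = html.match(
    /<meta\s+http-equiv=["']Content-Security-Policy["']\s+content=(["'])(.*?)\1/i);
  return m ? m[2] : '';
}

// Model the rewrite: http: becomes https:, everything else is untouched.
// An explicit non-default port is kept, so HTTPS must answer on that port.
function upgradeUrl(raw) {
  const url = new URL(raw);
  if (url.protocol === 'http:') url.protocol = 'https:';
  return url.href;
}

// List absolute http: URLs in src attributes with their upgraded form.
// A regex scan is a simplification; a real audit would use an HTML parser.
function auditSubresources(html) {
  const srcAttr = /\bsrc\s*=\s*["'](http:\/\/[^"']+)["']/gi;
  return [...html.matchAll(srcAttr)]
    .map((m) => ({ original: m[1], upgraded: upgradeUrl(m[1]) }));
}

// Constructed sample page: the demo image plus a hypothetical script host.
const SAMPLE_PAGE = `
<head>
  <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
</head>
<body>
  <img src="http://googlechrome.github.io/samples/images/touch/chrome-touch-icon-192x192.png">
  <script src="http://static.example.test:8080/app.js"></script>
  <img src="https://static.example.test/logo.png">
</body>`;

if (hasUpgradeDirective(metaPolicy(SAMPLE_PAGE))) {
  for (const f of auditSubresources(SAMPLE_PAGE)) {
    console.log(`${f.original} -> ${f.upgraded}`);
  }
}
```

<p>
  Upgraded requests do not fall back to <code>http:</code>, so every URL this reports must be reachable over <code>https:</code> or the resource will fail to load.
</p>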
<div class="output">
  <p>
    The following image is loaded with an explicit <code>http:</code> URL,
    <code>http://googlechrome.github.io/samples/images/touch/chrome-touch-icon-192x192.png</code>.
    Because this page has <code>Content-Security-Policy: upgrade-insecure-requests</code>
    active, the <code>http:</code> is treated as <code>https:</code>, and no mixed-content
    warnings are displayed.
  </p>
  <img src="http://googlechrome.github.io/samples/images/touch/chrome-touch-icon-192x192.png">
</div>
